use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class CreateRobot method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
* @throws org.cerberus.exception.CerberusException
* @throws org.json.JSONException
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
Gson gson = new Gson();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
String charset = request.getCharacterEncoding();
/**
* Parsing and securing all required parameters.
*/
// Parameter that are already controled by GUI (no need to decode) --> We SECURE them
// Parameter that needs to be secured --> We SECURE+DECODE them
String robot = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("robot"), null, charset);
String port = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("port"), null, charset);
String platform = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("platform"), null, charset);
String browser = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("browser"), null, charset);
String version = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("version"), "", charset);
String active = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("active"), "Y", charset);
String description = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("description"), "", charset);
String userAgent = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("useragent"), "", charset);
String screenSize = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("screensize"), "", charset);
String robotDecli = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("robotDecli"), "", charset);
String hostUser = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("hostUsername"), null, charset);
String hostPassword = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("hostPassword"), null, charset);
List<RobotCapability> capabilities = (List<RobotCapability>) (request.getParameter("capabilities") == null ? Collections.emptyList() : gson.fromJson(request.getParameter("capabilities"), new TypeToken<List<RobotCapability>>() {
}.getType()));
// Parameter that we cannot secure as we need the html --> We DECODE them
String host = ParameterParserUtil.parseStringParamAndDecode(request.getParameter("host"), null, charset);
// Securing capabilities by setting them the associated robot name
// Check also if there is no duplicated capability
Map<String, Object> capabilityMap = new HashMap<String, Object>();
for (RobotCapability capability : capabilities) {
capabilityMap.put(capability.getCapability(), null);
capability.setRobot(robot);
}
Integer robotid = 0;
boolean robotid_error = false;
try {
if (request.getParameter("robotid") != null && !request.getParameter("robotid").equals("")) {
robotid = Integer.valueOf(policy.sanitize(request.getParameter("robotid")));
}
} catch (Exception ex) {
robotid_error = true;
}
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(robot)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot name is missing."));
ans.setResultMessage(msg);
} else if (StringUtil.isNullOrEmpty(host)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot host is missing."));
ans.setResultMessage(msg);
} else if (StringUtil.isNullOrEmpty(platform)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot platform is missing."));
ans.setResultMessage(msg);
} else if (robotid_error) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Could not manage to convert robotid to an integer value or robotid is missing."));
ans.setResultMessage(msg);
} else if (capabilityMap.size() != capabilities.size()) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "There is at least one duplicated capability. Please edit or remove it to continue."));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IRobotService robotService = appContext.getBean(IRobotService.class);
IFactoryRobot robotFactory = appContext.getBean(IFactoryRobot.class);
Robot robotData = robotFactory.create(robotid, robot, host, port, platform, browser, version, active, description, userAgent, screenSize, hostUser, hostPassword, capabilities, robotDecli);
ans = robotService.create(robotData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Object created. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/CreateRobot", "CREATE", "Create Robot : ['" + robot + "']", request);
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse);
response.getWriter().flush();
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class ReadDeployType method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
* @throws org.cerberus.exception.CerberusException
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException {
String echo = request.getParameter("sEcho");
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
response.setCharacterEncoding("utf8");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
// Default message to unexpected error.
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
/**
* Parsing and securing all required parameters.
*/
// Nothing to do here as no parameter to check.
//
// Global boolean on the servlet that define if the user has permition to edit and delete object.
boolean userHasPermissions = request.isUserInRole("Integrator");
// Get Parameters
String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
// Init Answer with potencial error from Parsing parameter.
AnswerItem answer = new AnswerItem(msg);
try {
JSONObject jsonResponse = new JSONObject();
if (!columnName.isEmpty()) {
answer = findDistinctValuesOfColumn(appContext, request, columnName);
jsonResponse = (JSONObject) answer.getItem();
} else if (request.getParameter("deploytype") == null) {
answer = findDeployTypeList(appContext, userHasPermissions, request);
jsonResponse = (JSONObject) answer.getItem();
} else {
String deployType = policy.sanitize(request.getParameter("deploytype"));
answer = findDeployTypeByID(deployType, appContext, userHasPermissions);
jsonResponse = (JSONObject) answer.getItem();
}
jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", answer.getResultMessage().getDescription());
jsonResponse.put("sEcho", echo);
response.getWriter().print(jsonResponse.toString());
} catch (JSONException e) {
LOG.warn(e);
// returns a default error message with the json format that is able to be parsed by the client-side
response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
}
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class ReadSqlLibrary method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Get SqlLibrarys
String echo = request.getParameter("sEcho");
String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
response.setContentType("application/json");
response.setCharacterEncoding("utf8");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
// Default message to unexpected error.
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
/**
* Parsing and securing all required sqlLibrarys.
*/
// Nothing to do here as no sqlLibrary to check.
//
// Global boolean on the servlet that define if the user has permition to edit and delete object.
boolean userHasPermissions = request.isUserInRole("TestAdmin");
// Init Answer with potencial error from Parsing sqlLibrary.
AnswerItem answer = new AnswerItem(new MessageEvent(MessageEventEnum.DATA_OPERATION_OK));
try {
JSONObject jsonResponse;
String system;
if (request.getParameter("name") == null && Strings.isNullOrEmpty(columnName)) {
answer = findSqlLibraryList(appContext, userHasPermissions, request);
jsonResponse = (JSONObject) answer.getItem();
} else if (!Strings.isNullOrEmpty(columnName)) {
answer = findDistinctValuesOfColumn(appContext, request, columnName);
jsonResponse = (JSONObject) answer.getItem();
} else {
answer = findSqlLibraryBySystemByKey(request.getParameter("name"), appContext, userHasPermissions);
jsonResponse = (JSONObject) answer.getItem();
}
jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", answer.getResultMessage().getDescription());
jsonResponse.put("sEcho", echo);
response.getWriter().print(jsonResponse.toString());
} catch (JSONException e) {
LOG.warn(e);
// returns a default error message with the json format that is able to be parsed by the client-side
response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
}
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class UpdateApplication method getCountryEnvironmentApplicationFromParameter.
private List<CountryEnvironmentParameters> getCountryEnvironmentApplicationFromParameter(HttpServletRequest request, ApplicationContext appContext, String system, String application, JSONArray json) throws JSONException {
List<CountryEnvironmentParameters> cedList = new ArrayList();
ICountryEnvironmentParametersService ceaService = appContext.getBean(ICountryEnvironmentParametersService.class);
IFactoryCountryEnvironmentParameters cedFactory = appContext.getBean(IFactoryCountryEnvironmentParameters.class);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String charset = request.getCharacterEncoding();
for (int i = 0; i < json.length(); i++) {
JSONObject tcsaJson = json.getJSONObject(i);
// Parameter that are already controled by GUI (no need to decode) --> We SECURE them
boolean delete = tcsaJson.getBoolean("toDelete");
String country = policy.sanitize(tcsaJson.getString("country"));
String environment = policy.sanitize(tcsaJson.getString("environment"));
// Parameter that needs to be secured --> We SECURE+DECODE them
// Parameter that we cannot secure as we need the html --> We DECODE them
String ip = tcsaJson.getString("ip");
String domain = tcsaJson.getString("domain");
String url = tcsaJson.getString("url");
String urlLogin = tcsaJson.getString("urlLogin");
String var1 = tcsaJson.getString("var1");
String var2 = tcsaJson.getString("var2");
String var3 = tcsaJson.getString("var3");
String var4 = tcsaJson.getString("var4");
String strPoolSize = tcsaJson.getString("poolSize");
int poolSize;
if (strPoolSize.isEmpty()) {
poolSize = CountryEnvironmentParameters.DEFAULT_POOLSIZE;
} else {
try {
poolSize = Integer.parseInt(strPoolSize);
} catch (NumberFormatException e) {
LOG.warn("Unable to parse pool size: " + strPoolSize + ". Applying default value");
poolSize = CountryEnvironmentParameters.DEFAULT_POOLSIZE;
}
}
if (!delete) {
CountryEnvironmentParameters ced = cedFactory.create(system, country, environment, application, ip, domain, url, urlLogin, var1, var2, var3, var4, poolSize);
cedList.add(ced);
}
}
return cedList;
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class UpdateDeployType method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
/**
* Parsing and securing all required parameters.
*/
String deployType = policy.sanitize(request.getParameter("deploytype"));
String description = policy.sanitize(request.getParameter("description"));
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(deployType)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Deploy Type").replace("%OPERATION%", "Update").replace("%REASON%", "Deploy Type (deploytype) is missing"));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IDeployTypeService deployTypeService = appContext.getBean(IDeployTypeService.class);
AnswerItem resp = deployTypeService.readByKey(deployType);
if (!(resp.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && resp.getItem() != null)) {
/**
* Object could not be found. We stop here and report the error.
*/
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Deploy Type").replace("%OPERATION%", "Update").replace("%REASON%", "Deploy Type does not exist."));
ans.setResultMessage(msg);
} else {
/**
* The service was able to perform the query and confirm the
* object exist, then we can update it.
*/
DeployType deployTypeData = (DeployType) resp.getItem();
deployTypeData.setDescription(description);
ans = deployTypeService.update(deployTypeData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Update was successful. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/UpdateDeployType", "UPDATE", "Updated Deploy Type : ['" + deployType + "']", request);
}
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse);
response.getWriter().flush();
}
Aggregations